Route Approval CIDRs List validation using script


Introduction

There is an Aviatrix feature called “BGP Route Approval” that can be enabled on Aviatrix Gateways (Aviatrix Docs – BGP Route Approval). According to the Aviatrix documentation:

The Aviatrix Transit Gateway, BGP-enabled Spoke Gateway, and Edge Gateway dynamically learn BGP routes from remote sites. These learned routes are reported to the Aviatrix Controller which propagates and programs the route entries of a Spoke VPC or VNet route table. There are scenarios where you may require an approval process before learned CIDRs are propagated to the Spoke VPC or VNet.

The Route Approval feature maintains two lists of CIDRs: “Approved CIDR” list and “Pending CIDR” list:

  • “Pending CIDR” is a list of CIDRs that the remote BGP peer advertises to us but that are not yet installed/accepted on the Aviatrix Gateway,
  • “Approved CIDR” is a list of CIDRs that the remote BGP peer advertises to us and that we have accepted/installed on the Aviatrix Gateway.

The Route Approval feature can operate in two modes (the mode is set per Gateway):

  • “Gateway Mode”: the “Approved CIDR” and “Pending CIDR” lists are maintained jointly for all connections established by the Gateway,
  • “Connection Mode”: the “Approved CIDR” and “Pending CIDR” lists are maintained separately for each connection established by the Gateway.

This blog article presents two scripts that validate the approved CIDRs and notify the admin whenever a change is detected between the baseline and the current state.

There are two versions of the script; they check for and notify about different kinds of change:

  • Version 1 (“today vs yesterday”) of the script is meant to be scheduled every day. The script collects the current results (from “today”) and compares them to the results generated “yesterday”. The script prints the differences on the command line and sends a notification e-mail. V1 supports only the “Connection Mode” Route Approval feature.
  • Version 2 (“golden list”) of the script relies on “golden list” files that store the desired list of approved CIDRs. The script (v2) compares the current results to the contents of the “golden list” files. The script (v2) prints the differences on the command line and sends a notification e-mail. V2 supports both the “Connection Mode” and the “Gateway Mode” Route Approval feature.

Script - version 1 ("yesterday vs today")

The script creates the following 4 files for each BGP connection:

  • transit-gw-name_connection_connection-name_approved_cidr_list_date_yyyy-mm-dd.csv – keeps the list of all approved CIDRs.
  • transit-gw-name_connection_connection-name_pending_cidr_list_date_yyyy-mm-dd.csv – keeps the list of all pending CIDRs.
  • transit-gw-name_connection_connection-name_total_approved_cidr_date_yyyy-mm-dd.csv – keeps the total number of approved CIDRs.
  • transit-gw-name_connection_connection-name_total_pending_cidr_date_yyyy-mm-dd.csv – keeps the total number of pending CIDRs.

Additionally, the script prints a summary and sends notification e-mails. The summary shows the following pieces of information:

  • name of the Aviatrix Transit Gateway that has been checked
  • name of each connection
  • for each connection: number of approved CIDRs for today and yesterday
  • for each connection: number of pending CIDRs for today and yesterday

If the number of CIDRs (either approved or pending) differs between today and yesterday, the script sends notification e-mail(s).

Example of notification e-mails:

Script - version 2 ("golden list")

The “golden list” CIDRs are kept in the golden_list folder.

  • For a Gateway that operates in “Connection Mode”:
    one file is required per BGP connection, and it must be created before running the script:

transit-gw-name_connection_connection-name_approved_cidr_list_golden_list.csv

  • For a Gateway that operates in “Gateway Mode”:
    one file is required per Gateway, and it must be created before running the script:

transit-gw-name_Gateway-Mode_approved_cidr_list_golden_list.csv

The purpose of the golden file is to keep a list of all approved CIDRs.

During script execution the following 4 files are created in the temp_files folder for each BGP connection:

  • transit-gw-name_connection_connection-name_approved_cidr_list_date_yyyy-mm-dd.csv – keeps the list of all approved CIDRs.
  • transit-gw-name_connection_connection-name_pending_cidr_list_date_yyyy-mm-dd.csv – keeps the list of all pending CIDRs.
  • transit-gw-name_connection_connection-name_total_approved_cidr_date_yyyy-mm-dd.csv – keeps the total number of approved CIDRs.
  • transit-gw-name_connection_connection-name_total_pending_cidr_date_yyyy-mm-dd.csv – keeps the total number of pending CIDRs.

Please note that if a gateway operates in “Gateway Mode”, the filenames contain “Gateway-Mode” instead of “connection_connection-name”.

Besides the files it creates, the script prints a summary and sends notification e-mails. The summary shows the following pieces of information:

  • name of the Aviatrix Transit Gateway that has been checked
  • name of each connection
  • for each connection (in case “Connection Mode” is used): a full list of CIDRs that are present in the “golden list” but are not approved by Route Approval Feature
  • for each connection (in case “Connection Mode” is used): a full list of CIDRs that are approved by Route Approval Feature but are not present in the “golden list”
  • for each gateway (in case “Gateway Mode” is used): a full list of CIDRs that are present in the “golden list” but are not approved by Route Approval Feature
  • for each gateway (in case “Gateway Mode” is used): a full list of CIDRs that are approved by Route Approval Feature but are not present in the “golden list”

If the list of CIDRs (either approved or pending) differs between the current check and the “golden list”, the script sends notification e-mail(s).

Example of notification e-mails:
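As an added example (not one of the two scripts this article describes), the core comparisons of both versions in Python: file naming that follows the conventions above for Connection Mode and Gateway Mode, the v2 golden-list diff, and the v1 today-vs-yesterday check. Every CIDR list used with it is constructed for illustration; it goes slightly beyond the article in also set-diffing the daily lists, because comparing totals alone cannot see one CIDR being replaced by another.

```python
import ipaddress
from pathlib import Path


def parse_cidr_list(text):
    """One CIDR per line, as in the *_approved_cidr_list_*.csv files.
    Blank lines and '#' comments are skipped; entries are normalized so that
    '10.0.0.0/8' and '10.0.0.0/255.0.0.0' compare equal. A CIDR with host
    bits set raises ValueError rather than being silently accepted."""
    nets = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.add(ipaddress.ip_network(line))
    return nets


def _sort_key(net):
    # keeps IPv4 and IPv6 networks sortable in one list
    return (net.version, net)


def file_prefix(gateway, connection=None):
    """Prefix used in the article's filenames: Connection Mode carries the
    connection name, Gateway Mode carries the literal 'Gateway-Mode'."""
    if connection is None:
        return f"{gateway}_Gateway-Mode"
    return f"{gateway}_connection_{connection}"


def golden_list_path(folder, gateway, connection=None):
    return Path(folder) / f"{file_prefix(gateway, connection)}_approved_cidr_list_golden_list.csv"


def daily_path(folder, gateway, kind, day, connection=None):
    """kind: approved_cidr_list, pending_cidr_list, total_approved_cidr or
    total_pending_cidr; day is the yyyy-mm-dd string used in the name."""
    return Path(folder) / f"{file_prefix(gateway, connection)}_{kind}_date_{day}.csv"


def compare_to_golden(golden, approved):
    """v2 check: golden CIDRs that are not approved, and approved CIDRs that
    the golden list does not contain (the unexpected-route case)."""
    return (sorted(golden - approved, key=_sort_key),
            sorted(approved - golden, key=_sort_key))


def compare_to_yesterday(today, yesterday):
    """v1 check as the article describes it (totals differ), plus a set diff
    that also flags a swap that leaves the total unchanged."""
    return {"count_changed": len(today) != len(yesterday),
            "added": sorted(today - yesterday, key=_sort_key),
            "removed": sorted(yesterday - today, key=_sort_key)}
```

Wire `compare_to_golden` to whatever mail sender you use: an empty pair of lists means nothing to send, anything else is the body of the notification.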
